The recent cyber attacks on Pakistani financial institutions are of great concern to people. A financial bank suffered abnormal transactions valuing over Rs2.5 million on the morning of October 27, 2018. During the process of detection and recovery, the international payment card and domestic ATM cash withdrawal services were disrupted at the bank. Moreover, concerns over a further US$6 million worth of payments were reported to be allegedly carried out.
After this incident there have been more revelations — of up to nine banks withdrawing international debit card facility. This is in line with reports that Pakistani card details have become available in online underground markets; such markets have become a norm as part of the “dark web” which are essentially unregulated parts of the Internet that have emerged over the years to support a black economy to thrive and be marketised.
The scale of potential disruption from cyber attacks on banking services is not to be underestimated given the increasing reliance on online banking — everything, from ATMs to e-commerce.
A distributed denial of service (DDoS) attack on the RBS Group in the UK three years ago left millions of customers without access to their account for nearly an hour.
A DDoS attack is a complex and coordinated cyber attack that serves to undermine digital connected systems, reflecting on a high-tech form of crime that is purposeful, resourceful and timed for maximum effect. This year’s Global Risk Report places cyber attacks in the top five global risks, behind only extreme weather events and natural disasters. The Report by the World Economic Forum (WEF) said:
“Most attacks on critical and strategic systems have not succeeded — but the combination of isolated successes with a growing list of attempted attacks suggests that risks are increasing. And the world’s increasing interconnectedness and pace heightens our vulnerability to attacks that cause not only isolated and temporary disruptions, but radical and irreversible systemic shocks.”
Banks and financial institutions are acute targets as such given their critical role in the entire national ecosystems. A recent Brookings report on cyber risks and financial stability alludes to this argument on how financial markets can propagate and amplify such shocks, potentially leading to financial crises. One argues this is a sobering moment for the cyber security community interested in Pakistani financial institutions, as the potential for a domino effect, exposing vulnerabilities in the technical foundations of the banking sector of the country.
There has been an encouraging growth of online payment platforms in Pakistan. A large part of this is attributable to growth of business to consumer e-commerce. This of course was also helped by expanding internet access, branchless banking, improvements in 3G/4G services beyond first-tier cities, and a rising youth population which is educated and tech-savvy.
Consumers are gradually moving from the largely used cash-on-delivery mode to online payment options. This shift is rather slow owing to businesses themselves being reluctant to invest in development costs (including putting in place online security related measures) of online payment options.
To help the businesses and consumers find greater confidence in online payment options, the central bank has allowed third party service providers to provide payment gateways in Pakistan. The examples now include for example, Easypay and Fonepay. These are also providing the facility to allow payments through mobile wallet accounts such as EasyPaisa and JazzCash.
The central bank is also keen to promote use of information technology to support growth of small and medium enterprises. This among other ways can be achieved through the development of web-based market places which encourage e-commerce. There have been efforts now to promote innovation challenge funds which can support SME financing through technology.
In 2017, while foreseeing a foreign exchange crunch and looming pressures on the value of Pakistani rupee vis-à-vis other major currencies, the then government allowed remittances by workers abroad through m-wallets. This step apart from increasing dollar inflows was also aimed to boost financial inclusion and reducing cost and time taken to transfer of remittances back home.
While the above mentioned is indeed encouraging, unfortunately the recent cyber attack incident could invite further regulation by the central bank which could increase the transactions cost of businesses and consumers. The regulatory environment is already stifling the market players with oversight activities ranging from monitoring of payment gateway data, assessment of gateway trends, random checks on the degree of safety, onsite inspections, and offsite supervision. We understand from industry experts that a key reason for PayPal not coming in the country is excessive banking sector regulation.
But the cyber attack incident and stifling regulation in turn also has macroeconomic implications. Successive governments in Pakistan will have tried to promote greater formalisation of economy i.e. helping those operating in informal sector to formalise and become eligible to access scheduled finance and insurance facilities. This effort has been challenged as Pakistan remains a cash-based economy. Only about 15 per cent of Pakistan’s adult population has an active bank account. The natural disadvantage of this is that once people start to save too much in cash, this hinders the creation of money which in turn can be transformed into credit. This of course also has implications for future investment in the country.
As the central bank moves towards its ambition of allowing a separate category i.e. ‘Digital Banks’ to come into the market, it is equally important to have a greater understanding of: a) what to regulate and how; and b) how to allow a more ‘connected consumer’ the confidence to participate in electronic transactions in a secure manner. This is important as the banking sector and telecom industry wishes to promote mobile-commerce through almost 140 million subscribers out of which approximately 40 million are 3G/4G users. These numbers are set to rise as the turnover of smart phones in the country continues to be on the uptick.
The experts associated with FinTechs — startups which aim to use technology to provide innovative financial services — also inform of issues beyond an unfavourable regulatory environment and are particularly concerned about lack of systems that bring about greater data security, threats to intellectual property, difficulty of licensing, weak access to license holders and uncertain tax regime.
All of these problems get accentuated by the weak redressal provided to those who are already victims of cyber-attacks in Pakistan. More reliable online security mechanisms could also promote greater collaborations between the scheduled banking sector and FinTechs. However, it is the public sector which will have to share the costs of putting in place relatively more reliable security systems.
In responding to cyber attacks, which potentially target an entire sector as such, coordination across agencies, affected institutions, law enforcement and international actors is a key to the required solution. While global in nature, this has to be led nationally in response to incidents. Indeed, the quality of a state’s capacity to respond to cyber attacks is rapidly being recognised as an important element of global competitiveness. Such coordination could then be broken down to a number of steps.
First, ensuring the first line of defence is invoked. These include traditional measures of incident response to curtail the impact of the attack and prevent propagation across connected networks. The security industry has established a set of standards around immediate measures to disable and de-escalate such situations.
Secondly, for banking in particular, ensure that the client base and the wider public are reassured to avoid panic and confusion. This also has the secondary, but equally important, effect of calming stock markets and investors against any unwarranted reactions.
Finally, forensic audits and legal instruments deployed to coordinate collection of evidence and coordinate with domestic and international actors to help detect attackers. Some of this may even require diplomatic support and longer-term measures for transnational coordination. This has been recognised by world leaders as a necessary measure to avoid the risk of crippling economies.
The authors are associated with Coventry University, UK and Sustainable Development Policy Institute, Pakistan respectively.